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Abstract. The hidden subgroup problem (HSP) plays an important 
role in quantum computation, because many quantum algorithms that 
are exponentially faster than classical algorithms can be casted in the 
HSP structure. In this paper, we present a new polynomial-time quan- 
tum algorithm that solves the HSP over the group Z p r x Z q s , when 
p r jq = poly(logp r ), where p, q are any odd prime numbers and r, s are 
any positive integers. To find the hidden subgroup, our algorithm uses 
the abelian quantum Fourier transform and a reduction procedure that 
simplifies the problem to find cyclic subgroups. 



1 Introduction 

The area of quantum algorithms is reviewed in two noteworthy pa- 
pers [Tf2] . A wide class of algorithms deals with algebraic prob- 
lems p] and most of them can be casted as a Hidden Subgroup 
Problem (HSP) |3j. The HSP can be described as follows: given a 
group G and a coset-injective function / : G — > X on some set X 
such that f(x) = f(y) iff x ■ H — y ■ H for some subgroup H, the 
problem consists in determining a generating set for H by querying 
function /. We say that the function / hides the subgroup H in G or 
/ separates the cosets of H in G. A quantum algorithm for the HSP 
is said to be efficient when its computational complexity is polylog- 
arithm in the order of the group, i.e. 0(poly(log \G\)). There are 
many examples of efficient quantum algorithms for the HSP |lf5] . 
It is known that for finite abelian groups, the HSP can be solved 
efficiently in a quantum computer |3j. On the other hand, it is not 
known an efficient solution for a generic nonabelian group. Two im- 
portant groups in this context are the symmetrical and the dihedral 
groups. An efficient algorithm for solving the first one implies in an 



efficient solution for the graph isomorphism problem [6] and for the 
second one solves instances of the problem of finding the smallest 
vector in a lattice, with applications in cryptography [7J. 

An important strategy to solve the nonabelian HSP combines 
three methods: (1) the abelian Fourier transform, (2) the characteri- 
zation of all subgroups of the group G, and (3) the quotient group re- 
duction. This strategy was first employed by Ettinger and H0yer [8], 
that have reduced the HSP in the dihedral group to the problem 
of finding cyclic subgroups of order 2. Later on, also employing the 
same strategy, Inui and Le Gall [9J presented an efficient quantum 
algorithm for the HSP in groups of the form Z^ x Z p with prime p 
and positive integers r and m. Bacon et. al. |10| solved in polynomial 
time the HSP in groups of the form Z^v x Z 9 , for positive integers iV 
and prime q, such that N/q = poly (log N), reducing the problem to 
find cyclic subgroups of order q. Recently, Gongalves et. al. [11] pre- 
sented a class of efficient quantum algorithm for the HSP in Z p x 7L qa , 
with p/q = poly(logp), where p, q are distinct odd prime numbers 
and s an arbitrary positive integer. For an extensive description of 
solutions to the HSP, methods, and references, see Refs. |12|I3"] . 

In this work, we present a new quantum algorithm in polynomial 
time that solves the HSP in Z p r x Z g s, with p r /q = poly(logp r ), 
where p, q are distinct odd prime numbers and r, s arbitrary positive 
integers. This result extends the results obtained in Ref. [11], that 
are reproduced when r — 1. This work generalizes one of the results 
of Ref. [13J, which works for prime N. It also generalizes results of 
Ref. [13] for p-hedral groups and of Ref. [10J, which are reproduced 
when s = 1. 

The article is organized as follows. In Sec. [21 we define the semidi- 
rect product Z p r x Z gS and we characterize all subgroups. In Sec. [31 
we show that the HSP in Z p r x 7L qS can be reduced to the problem of 
finding cyclic subgroups. In Sec. 13.11 we present a polynomial-time 
quantum algorithm for the HSP in a class of groups of the form 
Z p r x Z q s . Finally, in Sec. [U we present our conclusions. 

2 The Structure of the Group Z p r x Z qS 

Let p, q be prime numbers and r, s positive integers. The semidirect 
product Z p r x^ Z q s, where Z p r and Z q s are cyclic groups and (ft : 



"Lqs — » Aut(Zpr), is a group homomorphism that defines the group 
product. The elements are (a, b), where a G Z p r, b G Z gS and the 
product of two element is (a,b)(c,d) = (a + <ft(b)(c),b + d). Note 
that x = (1,0) and y = (0,1) generate the group Z p r xi Zqs. Since 
Aut(Zpr) is isomorphic to Z*,-, the homomorphism is completely 
determined by a := 0(1) (1) G Z* r . The notation (a, b) is equivalent 
to x a y b and the commutation relation is y b x a = x aab y b . 

Observe that 0(0) = <fi(q s ) : Z p r — > Z p r is the identity element of 
the group Aut( Z p r). Then a qS = <j)(q s )(l) = 1. The element a G Z* r 
defines the semidirect product of groups Z p r x a Z ?s , if it satisfies 
the congruence equation X qS = lmodp r . In this case, we must have 
ord(a) = q l for some t = 0, . . . , s. The case t = reduces to the 
direct product of groups Z p r x Z gS , which is an abelian group. An 
efficient solution for the HSP is known for this case. From now on 
we consider 1 < t < s. 

For all prime p and positive integer r, the group Z*,- is cyclic. 
Let u G Z* r be an arbitrary generator of this group. Then ord(w) = 
p r ~ 1 (p — 1) and a = u k , for some integer 1 < k < p r ~ 1 (p — 1). Thus 
a q = u kq = lmodp r p — 1 | kq l . Because p and q are distinct 
prime numbers, we must have q l \ p — 1 and k = — — Jf , for some 
/ G Z* t . Thus, for each 1 < t < s and / G Z* t , the number 

a := u ? 

defines a semidirect product of groups, that will be denoted by 

G t ,l = Z p r X Q ZgS. (2) 

The parameter Z in Eq. (fl|) is disposable, because the group Gt,i 
is isomorphic to G^i, for all I. Next theorem states this fact. 

Theorem 1. G tii ~ /or a// / G Z* t . 

Proof: Consider the mapping <P t i : — > G t j defined by 
<P t j(x a y b ) = x a y l b . Notice that there is an unique inverse Z -1 of 
/ G Z* t . Thus, given x a y b G Gtj there is an unique x a y lb G Gt,i such 
that <P tt i(x a y lb ) = x a y b . Then is one-to-one. It is easy to verify 
that <P t j(x a y b x c y d ) = ^ i j(x a |/ f) )^ ti /(x c ?/ d ), therefore <P t j is a group 
isomorphism. 



(1) 



Let us denote Gt,i by Gt, where the homomorphism a is given by 
Eq. ([1]) with I = 1. Using the relation y b x a = x aab y b and making an 
induction on k, we verify that 



where q l = ord(a). 

Now we are able to list all subgroups of G t = Z, p r x Zgs by stating 
the following 

Theorem 2. The subgroups of Gt are 



Proof: In the appendix. 

■ 

3 The Quantum Algorithm 

In this section, we show that the HSP in Gt can be reduced to the 



problem of finding cyclic subgroups of the form (x a y q ), where a 



is an arbitrary element in the cyclic group Z p r and < j < t. 
Afterward we present an efficient quantum algorithm for the HSP in 
G t for t = 1. 

Let / be the oracle function that hides the subgroup H in G t - 
It follows from Theorem [2] that there are two cases for H, either 

(xP > y q j or (x p \ x a y q j. The parameters to be determined are i,j 
and a. Parameter a is the most difficult one to address. The algorithm 
that determines the value of a will be presented in Sec. 13.11 

The general idea of the algorithm is the following. Let H x = 
H n (x) and H y = H D (y). Consider function f x defined by f x (a) = 
/(a, 0), which hides H x in Z p r. Analogously, consider function f y 
defined by f y {b) = /(0, b), which hides H y in Z gS . The solution of the 
HSP in the abelian groups Z p r and Z gS with oracle functions f x and 
f y determines generators for the subgroups H x and H y , respectively. 







These subgroups have the form H x = (^x p J and H y = (^y q y, for 
some < i < r and < j < s. From now on we assume that i and 
j are known. If j > t then H = (x p 'y qJ ) (Theorem [2]), otherwise we 



learn that H = (^x p \ x a y q j. In the last step we run the algorithm of 

Section [3TT1 to find the value of a in polynomial time and with high 
probability. 

We end this section by analyzing the time complexity of classical 
algorithms for solving the HSP in G t - It follows from Theorem [2] 
that Gt has fl{p r ) subgroups. Therefore, the HSP cannot be solved 
efficiently by a classical computer by performing an exhaustive search 
for the subgroups of Gt- The methods known in the literature, such 
as the ones presented in Refs. [T3|T5] for groups with commutators 
of polynomial size and for nilpotent groups with constant nilpotency 
class, cannot be employed in this context. A remaining method is 
the following. The HSP in Gt can be efficiently solved by finding 
two distinct elements g\ and #2 in Gt-, such that f(gi) = f{g2)- Let 
us show that such collision solves the HSP. For each < j < s, 

function / is promised to hide subgroup H = (^x a y q:> ^. Then, if we 

know two elements gi and #2 such that f(g±) = f{g2), we will obtain 
92 1 9i H- Using that g^gi = x u y v for some u G Z p r and v G 
we have that g^ 1 gi G H if and only if 



for some k = 0,...,q s J — 1. From Eq. (J3J), it follows that a = 

u modp r <^ q l \ v . Now the question is: What is the probability 
that q f \ v is true? Suppose that v is an integer multiple of q f , this 
is, q l I v. Since v G Z gS , there exist q s ~ f integer multiple of v in 7L q s. 
The probability of v being in Z qS and being an integer multiple of 
q l is ^p- = Jj. Then the probability of v being in Z gS and q l \ v is 
1 — \. With probability 1 - ^ w 1, the HSP in G t reduces itself to 
the problem of finding elements g\ 7^ g 2 such that f(gi) = f{g2)- The 
problem of finding distinct elements gi and #2 such f(gi) = f{g2) is 
known as the collision problem. In that case, the function / is said to 





be g^-to-ona^l, and the time complexity of the classical algorithm 
for this problem is G(y/jfql), see Ref. [16J. Therefore, the lower limit 
of the classical algorithm for the HSP in G t is ^(y/jf). 

3.1 Case H = (x a y q 

In this section, we present an efficient quantum algorithm that solves 
the HSP in G t = Z p r x Z gS when p r jq = poly (log p r ). 

The HSP in Z p r x 1, q s can be reduced to the problem of finding 
cyclic subgroups generated by x a y qJ , which has order q s ~K We de- 
scribe a procedure that, given a function / that hides the subgroup 
H = (x a y qJ y in Z p r x 7L q s , efficiently determines the value of a with 

high probability, when t — 1. For t > 1, we argue that there is no 
efficient solution. The procedure is the following one: 

1. Initialize the quantum computer in the state 

p r -lqr*-J_l 

|gr 1 ) = _==5] £ |ro) |n> . (5) 

V? P m=0 n=0 

The arithmetical operations in the first ket (second ket) are per- 
formed modulo p r Note that the left cosets of H are 



= {x mo+aanos{n) y no+nq \ n = 0, . . . , q s - J - l} , (6) 
for each mo € Z p r, no € Z 9 j and 



S(n) = : mod p r . (7) 

2. Measure the third register of state in the computational ba- 
sis. The state after the measurement is 

\y 2 ) = ^= \m + aa no S(n))\n + nq j ), (8) 



for some < tuq < p r and < uq < q l ~i unknown and uniformly 
distributed. We discard the third register from now on, because 
it is not relevant in what follows. 



3 A function / : X — > Y is said to be m-to-one, when there are m elements in X that 
are mapped to the same element in Y. 



3. Apply the Fourier transform F% pr g) J to the state l^)- The result 
is 



1^3) = -4^E q j2^T° +aan0Sin)) \k) ho + ngi) , (9) 

where w p r is to p r -th primitive root of the unity. 

4. Measure the first register in the computational basis. Assume 
that the result of the measurement is some element k e Z* r . 
Then, the state after the measurement is 

1*4) = -7= y ^ (mo+m "° s(n)) |Jfco) Ino + V) . (10) 

The probability of obtaining the state \^) is 1 — 

5. Apply the operator U, defined by 

U \m) \n) = \mS{n)) n - S' 1 (^j^j \ ; (n) 
to state 1^4). 

Operator U is not unitary in general, because S(n) is not injective 
in general. However, for n in Z g t-j, Lemma [A2I ensures that S(n) is 
injective, and therefore U is unitary. We must impose t — j > t — 1, 
which implies j = 0. It follows from Theorem [2] that j = when 
t = 1. Taking t = 1 and applying U to l^) one obtains 

|*s) = -4= V uo k / mo+aS{n)) \k S(n)} |0> . (12) 

Our goal now is to obtain parameter a present in state ^5). We 
will use the following argument discussed in Ref. [10]. Consider the 
state 



1 o'-J'-l 



J=0 

t 



Notice that an application of the inverse Fourier transform F% r to 
the state \a) returns the value of a with high probability. State \a) has 



information about parameter a. What do we learn about a measuring 
state 1^5)? Is there a relation between \a) and ($5)? Those questions 
can be answered using the notion of quantum fidelity. 

The fidelity between the quantum states \a) and |^) (discarding 
ket |0) of I #5)) is given by |(6|fl^)| = */-r. Then, applying the 



v 

pF = ^p'+i 9 ■ Now, we run the algorithm I 



inverse Fourier transform F% r to state ^5) and afterward measuring 
the result in the computational basis, we obtain the value of a with 
probability |(5 l^s)] 2 = -v- The total success probability of obtaining 

the value of a is 1 — - 

v 

r + l 

times, where I = 2 { P -i) q = O (poly (log p T ')), to obtain the value of a 
with probability 1/2. 

Theorem 3. There is a quantum algorithm that solves, in polyno- 
mial time with success probability greater than 1/2, the HSP in the 
group Z p r x Z q s when p r /q = poly(logp r ) ; where p, q are distinct 
prime numbers and r, s are positive integers. 



4 Conclusions 

We have presented a quantum algorithm in polynomial time for solv- 
ing the HSP in a class of noncommutative groups Z p r x Z gS , where 
p, q are distinct prime numbers and r, s are positive integers. Using 
the classification of the subgroups of Z p r x Z ?s , we have showed that 
the HSP can be reduced to the problem of finding cyclic subgroups. 
The algorithm has success probability greater than 1/2 and requires 
that p r /q = poly(logp r ) and £ = 1. For t > 1, it seems that there 
is no unitary operator that reveals the parameters that describe the 
hidden subgroup. 

This work generalizes previous results. It generalizes the results 
of Ref. [13] for p-hedral groups and Ref. [10], which are obtained from 
our results by setting s = 1. It generalizes the results of Ref. [11] , 
which are obtained from our results by setting r = 1. In Ref. [13] , 
the authors employed the nonabelian Fourier transform. It would be 
interesting to analyze the possibility of obtaining similar results for 
the HSP in Z p r x Z g « using nonabelian Fourier transforms. 
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A Proof of Theorem [2] 

The proof of Theorem [2] uses two lemmas. The first one characterizes 
the cyclic subgroups of G t . 

Lemma Al The cyclic subgroups of G t are 

i) (x a y q:>Ss j , for < a < p r and < j < t. 

ii) lx pl y q3 ), < i < r and j <t < s. 



Proof: Let H be a cyclic subgroup of G t . Then H = (x a y b } for 
some a G Z p r and b G Z* q s. Let p 1 = gcd(a,p r ) for some % = 0, . . . , r 
and qi = gcd(6, q s ) for some j = 0, . . . , s. Then, there are integers 
u G Z* r and v G Z* a such that a = up 1 and b = vq\ respectively. 
There are two cases to consider with respect to parameter j: < 
j < t and j > t. In the first case we have (x a y b ) v = (x a y vqJ ) v = 



ijcfl 1 -1) 



x ab - 1 y ql G ( x x a y b ^ . Notice that there is v 1 such that vv 1 = 1. 
Then v G Z* s . Taking a' = a( -^_~ 1 ^ we have that x a 'y qJ G (x a y b ^. 



Since oid{x a y b ) = oTd(x a 'y qJ ) = q s J ', we have (x a y q j = (x a y b ^ , 

whenever q 1 \ b, for every < j < t. Then H is in class i) of 
Theorem [1 If j > t, then (x a y 6 ) fc = (x upl y vq3 ) k = x uplk y vq3k = 

e k = p r ~ l q s ~i . Besides x p \y qJ G (x pt y q ), then (x up *y vq ) C 



x pl y qJ ). Since 



x pl y q3 



x up l yVq J 



- pr j we jjgyg that 

(x a y b ^ = (^x upl y vq:> ^ = (^x pl y qJ ^. Then, we conclude that H is in 
class ii). 



Lemma A2 Let a be the homomorphism that defines Gt- For all 
b G such that q l \b we have a b — 1 G Z* r . 

Proof: Suppose by contradiction that a b — 1 G^ Z* r . Then, there 
is an integer number A; G Z p r such that a b = kp + 1. Using the 
binomial expansion, we obtain a 6pr = (kp + l) fepr = 1 mod p r . 
Since ord(a) = q l , we have q l \ bp T ~ x . This is a contradiction, since 
g* { b and p, g are distinct primes. Then a b — 1 G Z* r . 



Proof of Theorem [2] Let H be a subgroup of G t - If H is cyclic, 
Lemma IA1I states that H is either in class i) or in class ii) with 
i = r. Suppose that H has a generating set with n elements, where 
n is a positive integer: H = (x ai y bl , . . . , x a,l y bn y If q l \ b k for all 
k = 1, . . . ,n, let p %k = gcd(a k ,p r ) and q ik = gcd(b k ,q s ), with u k G 
Z* r , Vk G Z* s , for all integer numbers < i k < r and t < j k < s. 

Then if = (^x p ' 1 y qn , . . . , x pl ™ y ?J ™ ^ . Define i = min-j^!, . . . ,i n } and 

j = min{ji, . . . ,j n }. Then, for all k = 1, . . . , n we have i k = i + i^,, 

jfc = 3 + j'ki f° r some i' k G Z p r, j£ G Z q s. Then x p!fc 



(x pl ) pIfc G and = y q3+3k = (y q3 ) q3k G (V). This result 



implies that x plk y q3k G (x p \y q3 j. Since (x p \y q3 j = (x pl y q3 
have a***^* G (x pl y qjA J. Then # C (x^y^. Note that x pik ,y q3k G 

if for all fc = l,...,n. Then x pl y q3 £ H and H = (x pl y q3A J. We 

conclude that H is in class i). On the other hand, if q t \ b k for all 
k = I, ... ,11, then the generators of H can be written as x ak y VkqJh , 
where t> k G Z* s with < j k < t. Then, for each k, I — 1 . . . , n with 
k ^ I, the commutator of the generators x ak y bk and x a 'y bl is 



x ak y bh ,x ai y bl 



x a k +ai.a u k -a k a m -a t _ ^klPM ^4) 



for some 7^ G Z* r and < i k i < r. Let i = minjifc/, A;, / = 
l,...,n e A; 7^ /} and suppose with no loss of generality that 
ord(x a "y bn ) = q s ~ j " > oid(x ak b bk ) = q s ~ jk =^ j k > j n , for all 

k = 1, ... ,n — 1. Then, we state that H = (x p \ x an y bn ). In fact, 



it is easy to conclude that (^x p ,x a "y "j C H. We simply need to 
verify that x ak y bk G (x pl , x an y bn ^. In fact, if x ak y bk is in subgroup 
x p \ x an y bn ), then there are positive integers M and N such that 



x ak y bk =x Mpl+an2 ^y NK . (15) 

This above equation implies that 

a k = Mp l + a n a ^Z^ mod p r ; , . 

b k = Nb n mod q s . { ' 



This system of modular equations has solutions, since b k = 
Nb n mod q s =>• v k q jk = Nv n q jn mod q s =>■ N = v k v~ x q ik ~^ n . To 
find M, we note that 

(a bk - 1) 

Mp l = a k -a n K — ± (17) 

a° n — 1 

From Eq. (jHJ), it follows that Mp 4 = 7fc n p lftn (l — a 6 ") -1 . Using « < 
z fcn , we obtain M = ^knP tkn ~ l i)- — a 6 ") -1 - Then 

H — (x p \x an y bn \ . (18) 



From Lemma IA"2l we conclude that there is the inverse (1 — a bn ) _1 

From Lemma \XT\ the cyclic subgroup (x an y bn ^ has the form (^x a y q:> 

for some a G Z p r and some integer number < j < t. Then H = 

\x pt , x a y qJ ^ is in class ii). Finally, let us suppose that subgroup H 

can be written as H = (x ai y bl , . . . , x an y bn ^j for some n G N with 
indices 1 < j\ < j 2 < . . . < jk < n such that q % \ bj x , . . . , q t \ bj k . 
Suppose that ji — 1, . . . ,j k = k, then H can be written as 

H = (x ai y h \. . . , x ak y bk ,x ak+1 y Vk+iqJk+1 x a "y Vnq3 " } (19) 
x pi ,x a y q \x pl y qm ) , (20) 



for some integer numbers < i, I < r, < a < p r , < j < t and 
< m < s. Define A = min{i,/}, then H = (x p% , x a y q \ x pl y qm ^ = 

x x y qm , x a y qJ J . Since y qt = (x a y ql ) qt 1 G (x a y qJ ^, we have y qm G 

x a y qJ ^ for m = t, . . . , s. This result implies that H = (^x pX , x a y 
Again we show that H is in class ii). This ends the proof. 



